HP 10500 Series Configuration Manual page 93

Authentication status
A user in the Auth-Fail VLAN
passes 802.1X authentication
To perform the 802.1X Auth-Fail VLAN function on a port that performs MAC-based access control, you
must ensure that the port is a hybrid port, and enable MAC-based VLAN on the port.
The network device assigns a hybrid port to an 802.1X Auth-Fail VLAN as an untagged member.
For more information about VLAN configuration and MAC-based VLAN, see Layer 2
Configuration Guide.
Critical VLAN
You configure an 802.1X critical VLAN on a port to accommodate 802.1X users who fail authentication
because none of the RADIUS authentication servers in their ISP domain is reachable (active). Users in the
critical VLAN can access a limit set of network resources depending on your configuration.
The critical VLAN feature takes effect when 802.1X authentication is performed only through RADIUS
servers. If an 802.1X user fails local authentication after RADIUS authentication, the user is not assigned
to the critical VLAN. For more information about RADIUS configuration, see
The way that the network access device handles VLANs on an 802.1X-enabled port differs by 802.1X
access control mode.
1. On a port that performs port-based access control
To perform the 802.1X critical VLAN function on a port that performs MAC-based access control, you
must make sure that the port is a hybrid port, and enable MAC-based VLAN on the port. For more
information about VLAN configuration and MAC-based VLAN, see Layer 2—LAN Switching
Configuration Guide.
Authentication status
A user who has not been assigned to any VLAN
fails 802.1X authentication because all the
RADIUS servers are unreachable.
A user in the 802.1X critical VLAN fails
authentication because all the RADIUS servers
are unreachable.
A user in the 802.1X critical VLAN fails
authentication for any other reason than server
unreachable.
A user in the critical VLAN passes 802.1X
authentication.
VLAN manipulation
Re-maps the MAC address of the user to the server-assigned VLAN.
If the authentication server assigns no VLAN, re-maps the MAC address of the
user to the initial PVID on the port.
VLAN manipulation
Assigns the critical VLAN to the port as the PVID. The
802.1X user and all subsequent 802.1X users on this port
can access only resources in the critical VLAN.
The critical VLAN is still the PVID of the port, and all 802.1X
users on this port are in this VLAN.
If an Auth-Fail VLAN has been configured, the PVID of the
port changes to Auth-Fail VLAN ID, and all 802.1X users on
this port are moved to the Auth-Fail VLAN.
•
Assigns the VLAN specified for the user to the port as the
PVID, and removes the port from the critical VLAN. After
the user logs off, the default or user-configured PVID
restores.
•
If the authentication server assigns no VLAN, the default
or user-configured PVID applies. The user and all
subsequent 802.1X users are assigned to this port VLAN.
After the user logs off, this PVID remains unchanged.
83
LAN Switching
—
"Configuring AAA."